Recent Drone Attacks in Saudi Arabia
This emerging issues article examines the critical need for public and private sector organisations, especially Critical National Infrastructure (CNI), to reconsider current strategic-level thinking on building institutional and operational resilience in response to novel and complex challenges posed by the utilisation of technological innovation for terrorist purposes. Though the focus here is on drone attacks, the principles and themes are of wider applicability to other contexts of technological risk.
The recent terrorist attacks against the Abqaiq and Khurais oil installations in Saudi Arabia have once again raised the issue of how best to counter and prepare for the misuse of technological innovation, specifically here drones.
Clearly, these drone attacks were carefully targeted against high value assets for maximum impact, namely the world’s largest petroleum-processing plant run by the state-owned Aramco, representing 50% of Saudi Arabia’s crude oil output. The immediate impact of the attacks was to reduce the global supply of oil by approximately 5% and to trigger a 15% surge in the oil price, the largest jump in the Brent benchmark for approximately 30 years.
At the time of writing, there is ongoing debate as to who the true perpetrators were, with the most likely suspects being narrowed down to either Yemen’s Houthi rebels (aligned with Iran) or Iran itself. The focus here, however, is not to engage in analysis or debate as to whether and why the hybrid attacks were carried out by these or other state or non-state actors; rather it is to consider the even bigger, pressing, and recurring global challenge as to how public and private entities, in particular critical national infrastructure (CNI), may improve their resilience to such scenarios which are likely to become more commonplace. Certainly, there is a general feeling that what we have just witnessed in Saudi Arabia is just the tip of the iceberg in terms of the as-yet unrealised potential of drone technology to be used for malicious purposes.
Indeed, similar style drone attacks have occurred previously in the Middle East region, such as the ones carried out earlier this year against the Shaybah oilfield in August and against pumping stations as well as a significant pipeline in May, also within Saudi Arabia. As one commentator has observed, ‘The cheap, nimble weapon that can easily evade air warning systems is posing a novel defence challenge for the world’s largest oil exporter — also one of the world’s biggest arms buyers — and other countries in the region.’ Similar threats have been experienced elsewhere in the region, such as in 2018 when Israel shot down an explosive-laden Iranian drone; Israel is currently facing a novel emerging threat of having to deal with drone swarm attacks by Hezbollah.
Threats and Vulnerabilities to Drone Attacks: A Global Challenge
There is no room for complacency in that these threats and vulnerabilities are not confined to any one country, a particular region or a specific sector. One only needs to fly over oil and gas installations, airports, ports, power grids, water/desalination sites and so forth anywhere in the world to sense their vulnerability to malicious drone attacks by terrorists, organised criminal groups or other criminals. In addition, though aerial attacks are currently the most likely form of drone attack, other sources of threat are likely to emerge too. For instance, it is only a matter of time before other forms of lethal and difficult to detect weapons become more prevalent as part of next-generation technologies, such as (semi-) autonomous maritime drones capable of intelligence gathering and weapon delivery. Certainly, observations relating to current resilience vulnerabilities experienced by oil and gas as well as other CNI within the Middle East – to the effect that ‘[their] responses [to the adversary] is not efficient’ and that oil-dependent countries ‘have relatively badly-protected installations … in a target-rich environment’ – reflect a recurring global phenomenon.
The associated challenges of effectively countering drone attacks are well documented. One is the ease of technological access: ‘Drone technology, albeit of varying degrees of sophistication, is available to all – from the US to China, Israel and Iran – and from the Houthis to Hezbollah.’ Accessibility is facilitated too by the relatively low cost. The estimated cost of the drones used to carry out the oil installation attacks last weekend is $15,000. Some unsophisticated home-made drones may only involve minimal cost, such as those constructed by Syrian opposition forces out of plywood, plastic sheeting and polystyrene. A key tension here is how to regulate drone technology, which may have dual-use capability, in a manner which does not stifle legitimate industry growth, exports, accessibility and usage, especially since the vast majority of drone deployment is legitimate, including for security, disaster risk/relief and resilience purposes.
In contrast, drone countermeasures typically require significant investment and resources by public or private sector users. If a military defence approach is adopted, then the cost can be in the region of $3-4 million per missile should Patriot or similar technology be deployed against threatening drones, which has been one approach adopted by Israel. Similarly, any dedicated counter-Unmanned Aerial System (UAS) requires significant resources to build, often accompanied by extensive procurement timelines since the ‘[defence] industry is not geared up to provide the numbers that are required to protect these facilities’. As Jack Watling at the Royal United Services Institute in London has commented, ‘Anti-drone defence infrastructure is expensive to build, including GPS jammers to neutralise drone navigation, search and track facilities to identify incoming drones, and missile and radar-guided cannon interceptors to destroy them.’ In order to ensure optimum effectiveness, not least in response to rapidly evolving technological developments by adversaries seeking to undermine counter-UAS, such a multi-layered approach – which typically consists of detection, tracking and interdiction – will often be necessary, though without any guarantee of success.
Building Increased Resilience as Part of the Solution
All of these challenges and accompanying vulnerabilities point to the critical need to rethink, or at least augment, current approaches. Indeed, it is interesting to note that a recent Trends Alert on ‘Greater Efforts Needed to Address the Potential Risks Posed by Terrorist Use of Unmanned Aircraft Systems’ (May 2019) noted that: ‘While further technological UAS countermeasures will be required, and an improvement in the effectiveness of existing UAS counter-measures, it will be difficult for countermeasures in many Member States to keep pace with UAS technology. It is important therefore that Member States’ responses become less technology-reliant and more holistic.’ In response, the alert encouraged Member States ‘to pursue a multi-stakeholder approach’, interestingly acknowledging the need for ‘[m]easures to strengthen … business resilience in the event of incidents involving UAS’ as well as ‘[g]reater coordination between different parts of Government to help ensure a more joined-up response’.
Technological responses to threats posed by drones often form a vital and integral part of building increased resilience, but generally will not offer comprehensive solutions alone. Notably, one commentator has observed in relation to the recent drone attacks in Saudi Arabia that ‘Effective protection on the scale of the Abqaiq facility, which spans several kilometres, is almost impossible. “There is no technologically perfect solution to this”’, including in response to drone warfare proliferation. Nor is it realistically possible to prevent some precursors to terrorist drone attacks such as the gathering of basic intelligence (e.g., the capturing of GPS coordinates) by the mobile phones of those working on or visiting CNI facilities or through commercial satellite coverage.
In order to maximise the effectiveness of counter-UAS technology and improve CNI resilience, it is suggested here that technological solutions relied upon should form part of a broader, comprehensive, fully integrated and (where appropriate) multi-hazard resilience planning approach. As figure 1 illustrates, though it only begins to scratch the surface, resilience issues relating to the protection of CNI and other valuable assets are a complex tapestry of inter-connectedness and inter-dependency accompanied by many diverse sources of direct and indirect threats, risks, hazards and vulnerabilities.
Despite this, a recurring weakness in current approaches to resilience planning, including for the protection of CNI, is that not all relevant security and disaster risk factors are fully considered or integrated, thereby reducing the ability of organisations to prevent or at least mitigate potentially catastrophic disaster impacts and losses through improved preparedness. Typically, more conventional, siloed paradigmatic approaches to security and disaster risk/management are adopted. For instance, as the UNCTED Trends Alert (May 2019) identifies, standard governmental approaches to counter-UAS comprise regulation and security frameworks, such as (i) pilot licensing; (ii) aircraft registration; (iii) insurance; and (iv) restricted zones. Whilst these are themselves important measures as part of the overall tapestry of responses, they form only one aspect of institutional (focussing especially here on states) or organisational resilience, and typically will be more traditional in their approach.
Conventional, single-dimensional approaches can be especially problematic for the management of threats and risks posed by novel and emerging technologies since these typically straddle both security and disaster risk management paradigms, including in hybrid threat and terrorism contexts, as is illustrated by figure 2. It is in the inter-connected space where both paradigms overlap that the most rethinking and increased investment are needed from a resilience perspective in order to prevent or at least reduce current critical gaps and vulnerabilities. Failure to do so is akin to putting unfermented new wine (i.e. technological innovation, including drone related) into old, used wineskins (i.e. inadequate conventional paradigms and thinking which alone are unable to adapt to fully reflect all relevant factors), which is likely to result in failure, damage and loss. These themes are explored in more detail in relation to Maritime Autonomous Surface Ships (MASS) and so will not be repeated here other than to say that the identified principles apply equally to a drone context.
Available Tools to Strengthen Resilience
There are a number of recent and ongoing significant steps towards strengthening resilience, especially of CNI, which merit attention by organisations seeking to strengthen current levels of resilience in response to the rising threat of drone attacks. Such initiatives identify transferable principles and good practices as well as developed guidelines, indicators, standards, etc, illustrated by national case studies. Key objectives include better informing and assisting public and private actors facing the challenge of how best to protect valuable assets and essential services, including CNI, in an increasingly complex and multi-faceted threat and risk environment. Of particular note is growing recognition of the critical importance of better integrating traditional security with disaster risk management factors within national strategies and policies, recognising too that responding effectively to terrorist challenges is not the sole prerogative of government, but rather also requires (pro)active ‘all-of-society’ engagement, including by the private sector.
These key themes and goals are reflected within UN Security Council Resolution 2341 (2017) on the ‘Protection of Critical Infrastructures and Enhancement of States’ Capacities to Prevent Attacks against Critical Infrastructure’, a milestone as the first ever global instrument dedicated to the protection of CNI from attack especially by terrorists. It urges all key stakeholders to be actively involved in the protection of CNI. Specifically, it calls upon ‘Member States to consider developing or further improving their strategies for reducing risks to critical infrastructure from terrorist attacks’ framed around the disaster risk management principles of ‘prevent, protect, mitigate, [investigate], respond to and recover from damage from terrorist attacks on critical infrastructure facilities’ (Preamble, para. 5). Other disaster risk and crisis management principles are increasingly embedded in the global conversation too, such as the need for ‘[c]ross-sectoral risk assessment, including vulnerabilities, interdependencies, capabilities, and cascading effects of impacts on critical infrastructure’ to be reflected within prevention and preparedness strategies (para. 5.2).
The Resolution was followed up with ‘The protection of critical infrastructure against terrorist attacks: Compendium of good practices’ (2018) compiled by CTED and the UN Office of Counter-Terrorism. It is a comprehensive and practical guide of especial benefit to those public and private sector actors highlighted by the Security Council, namely those ‘who have responsibilities for designing, improving or implementing policies and measures to protect [Critical Infrastructures] against terrorist attacks’. Notably, the Compendium observes that ‘[t]he growing awareness that we are now confronted with a new type of security environment … has not been matched by corresponding levels of preparedness.’ (p. 14).
A number of international initiatives exist too aimed at protecting vulnerable targets, including CNI, specifically from UAS and other emerging technology. For example, the UN Office of Counter-Terrorism (UNOCT), in close cooperation with CTED, is launching a Global Programme to Counter Terrorist Threats against Vulnerable Targets, which has a specific UAS focus and will identify and develop policies and practices to strengthen the protection of vulnerable targets, including through enhanced international cooperation, public-private partnerships and sustainable security approaches. Specialist work is underway too by other organisations, including the Global Counterterrorism Forum, INTERPOL, and International Civil Aviation Authority, though the focus here is likely to be from more conventional law enforcement, safety etc rather than integrated security with disaster risk management perspectives.
In parallel are other initiatives, such as the Sendai Framework on Disaster Risk Reduction (2015-30), which is the globally agreed roadmap for reducing disaster risk aimed at all stakeholders and sectors. It articulates a number of important principles applicable to building increased resilience in a UAS/counter-UAS context, such as the need for increased innovation and cross-sectoral engagement together with the development of multi-disciplinary, multi-hazard (as is appropriate) approaches to improve current levels of disaster prevention, mitigation of disaster risk and loss, as well as preparedness, all of which assist with strengthening institutional and organisational, together with social/community, resilience. As a recent UNCTED report on ‘soft targets’ identified, there is a need for a ‘combination of physical security and preparedness measures, accompanied by steps to build societal resilience against such attacks and threats’ (p. 4).
The Need for Increased Investment, Institutional/Political Will and International Cooperation
Though important tools and initiatives exist aimed at better integrating security and disaster risk factors to strengthen operational resilience, including at the operational level, ultimately these will only be useful – including against drone attacks – if they are implemented. This may require some public and private sector organisations to reconsider their strategic level interests and decision-making – not least in relation to profit margins and shareholder interests – in order to invest more in comprehensive resilience planning. In some instances, it will require genuine organisational willingness – especially at middle and executive management levels – to critically review and, where necessary, allow significant shifts in current thinking, priorities, resource allocation, etc.
Such institutional and organisational change can be uncomfortable and may take some considerable effort to achieve, yet true resilience will be unrealisable without this. There are though immediate wins to be gained, some of which are noted briefly here: (1) such investment would augment the effectiveness of any expensive counter-UAS technology procured and would be expected to reduce disaster impacts, loss and damage in circumstances where any installed counter-UAS technology was not (fully) successful in neutralising drone attacks, not least any ensuing cascading disaster effects; (2) the review and revision of resilience planning systems and processes are typically significantly cheaper than equipment procurement as well as (3) more agile to respond and adapt to rapidly evolving novel threats and risks.
At the institutional (especially state) level, significantly increased political will and international cooperation will be essential too if current levels of resilience are to be strengthened against the misuse of technological innovation for terrorist or other criminal purposes. This will require addressing not only the most obvious direct sources of threat, risk and vulnerability, some of which have been alluded to above, but also less evident yet equally significant indirect sources which should form part of strategic-level resilience planning too. These issues are briefly illustrated here by supply chain vulnerability as well as gaps within the current international legal framework governing serious crimes.
With respect to supply chain vulnerability, a key challenge is preventing drone technology from falling into the wrong hands. The primary focus of Security Council Resolution 2370 (2017) is on the flow of weapons, including UAS, to terrorist and criminal groups, especially ISIL and al Qaeda; Security Council Resolution 2341 (2017) referred to earlier also recognises the importance of supply chain integrity (Preamble). Consequently, Member States are exhorted to take measures to prevent and disrupt procurement networks for these weapons, systems and components. For further exploration and analysis of these issues see, e.g., Don Rassler, ‘The Islamic State and Drones: Supply, Scale, and Future Threats’ (2018). One of the key issues that this article highlights is the need for effective international cooperation among both public and private sector stakeholders in the control and export of dual use technology with both offensive and defensive capability.
These issues are illustrated starkly by a case study in which ISIL was able ‘to acquire commercial quadcopter drones and related components that were used for defensive and offensive purposes through a global and layered supply chain that involved purchases from at least 16 different companies that were based in at least seven different countries’ (p. iv). This off-the-shelf technology was then creatively adapted with low-tech components and add-ons into weapons. In response, Rassler argues that such a rise in hybrid warfare ‘will likely require the development of new, hybrid public-private sector approaches to effectively manage, track, and degrade future hybrid threats that leverage and/or are based off of commercial systems’, as well as increased levels of due diligence. These should extend to the delivery (including tracking) of UAS equipment to conflict zones as well as the investigation and mapping out of supply chain networks to identify and close current gaps (pp. v, 24).
Concerns here are not confined to the purchase of off-the-shelf drone technology, but rather also comprise a range of other technological innovations such as 3D-printing, which is already being used by terrorist organisations, including ISIL, to create drone parts. This is especially worrying since significant gaps exist currently within the international legal framework criminalising serious crimes committed by terrorist organisations and organised criminal groups. I wrote about these challenges previously (2018) to encourage the further exploration of such pressing issues, though there has been no evident progress to date.
Of particular relevance to the current discussion, the article examines how intangible technology transfer (ITT) – which could include the sharing of electronic blueprints of drones, weapons systems, etc for criminal purposes and/or the use of technology (e.g., the internet or GPS) for these purposes – is largely uncovered by the existing legal framework which was drafted primarily before such technological innovations were conceived. This gap is relevant to preventing drone and weapon blueprints from falling into the hands of those with criminal intent, including terrorist networks, whether they originate from the designs of legitimate manufacturers or are ‘homegrown’ in nature. Certainly, risks accompanying battlefield technological innovation cannot be ignored – such as the development of military 3D drone printing capability – which is vulnerable to virtual (i.e. blueprints) and physical (i.e. the printing hardware) theft.
This short reflection has sought to highlight the critical need for public and private sector organisations, especially CNI, to reconsider current strategic-level thinking on building institutional and operational resilience especially in response to novel challenges posed by the nefarious use of technological innovation. Though the focus here is upon drone attacks, the principles and themes are of wider applicability to other technological risk contexts.
In particular, it has sought to argue that although counter-UAS technology will often form an essential, integral part of resilience planning, primary or sole reliance upon such technological solutions is unlikely to result in optimal levels of resilience. Not only is there recognition that such technology alone is unlikely to fully counter all forms of threat and attack, but it is unable to deal with the aftermath of a terrorist drone attack. Consequently, it is critical that the adequate investment of resources is made in comprehensive resilience planning that integrates counter-UAS technology within broader comprehensive, multi-hazard threat and risk analysis, planning assumptions, developed systems, training, etc.
In doing so, such planning should not be confined to conventional paradigmatic approaches to security/law enforcement and disaster risk, but rather seek to put the new wine of technological innovation into wineskins (paradigms) which recognise and reflect the integrated nature of security and disaster risk factors which are especially prevalent in relation to novel and emerging technologies including drones.
It is evident too that if the increasingly complex, challenging and rapidly evolving landscape of security threats and disaster risks attributable to drone and other technological innovations (e.g., 3D printers of drone parts) is to be most effectively countered and prepared for, a dynamic approach to resilience planning will be necessary. This will need to incorporate not only more obvious, direct sources of threat, risk, etc, but also less obvious, indirect yet no less significant ones, illustrated here by existing supply chain vulnerabilities and gaps within the international criminal law architecture. These will be more challenging to tackle since they will require significant levels of multilateral will and investment across a broad range of public and private sector actors. Yet, if the devastating, and no doubt long lasting, disaster impacts experienced by the Saudi Abqaiq and Khurais oil installations during last weekend’s attacks are not to become a recurring global phenomenon, such institutional and political resolve will need to be found.
Katja Samuel, the Director of GSDM, is an international lawyer specialising in security, disaster risk and resilience planning with a particular interest in technological risk.